PC infected and popups everywhere


dafunk
08-29-2007, 11:44 AM
Hello,
I'm running a Sony Vaio desktop with WinXP SP2. It was running great when all of a sudden one day I started getting all kinds of popups (credit card offers, spyware uninstallers, dating sites...) and the computer is very slow. It takes about 5 minutes to start up and
getting on the Internet is almost impossible. It is so slow and I'm getting all kinds of error messages and popups. I tried running AVG but it errors out and Ad-aware freezes when it gets near the end.
My HijackThis log shows all kinds of junk.

Thanks in advance for any help :)

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:40:29 AM, on 8/29/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\WINDOWS\Kg\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe
C:\WINDOWS\retadpu1000106.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\AOL\1187911096\ee\AOLSoftware.exe
C:\Program Files\Common Files\horyg22011.exe
C:\WINDOWS\system32\qwinkmdt.exe
C:\WINDOWS\System32\regscan.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\User\svchost.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-142\wirelesscm.exe
C:\WINDOWS\system32\ljdsrngo.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msbind32.exe
C:\Documents and Settings\User\Desktop\util\HiJackThis_v2.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: 0 - {4392A0FA-4F14-44F6-08A7-1C204C279D53} - C:\Program Files\Windows NT\lavukacys174.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\WebAssist.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {C20F311D-626B-454E-85A0-6E9BA61E157A} - C:\WINDOWS\System32\jkhfd.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\System32\fomcvbqg.dll
O2 - BHO: msscds32.msdn_hlp - {C934903B-61BE-403A-BC70-D738DAF43B8E} - C:\WINDOWS\System32\msscds32.dll
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {E9BD0828-1FD9-410C-A50F-43EBE65D310F} - C:\WINDOWS\System32\rqrrono.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [{18-86-6D-D7-ZN}] C:\WINDOWS\system32\ljdsrngo.exe CHD003
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\agerltuc.dll",forkonce
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1187911096\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [horyg] C:\Program Files\Common Files\horyg22011.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\qwinkmdt.exe CHD003
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Regscan] C:\WINDOWS\System32\regscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\User\svchost.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\svchost.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\ljdsrngo.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\qwinkmdt.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: HP LaserJet Director.lnk = C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppdirector.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: aeskap - C:\WINDOWS\SYSTEM32\aeskap.dll
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\System32\jkhfd.dll
O20 - Winlogon Notify: rqrrono - C:\WINDOWS\SYSTEM32\rqrrono.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Kg\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows NT\profsyxyvir.html

--
End of file - 8984 bytes
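A removal helper reads a log like the one above line by line, looking for a handful of recurring patterns. As an added example (not code from this thread, from HijackThis or from ComboFix), here is a small Python triage script that applies some of those reading rules to lines copied from the log above. The baseline sets of stock Winlogon Notify packages and core system binaries are assumptions tuned to Windows XP, and a hit means a person should look at that line, not that it is malware.

```python
"""Heuristic triage of HijackThis (HJT) log lines: an added example for this
thread, not code from HijackThis, ComboFix or the helper. Each rule mirrors
something a removal helper eyeballs in a log like the one above; a hit means
"look at this", never "this is malware". Baselines are XP assumptions."""
import re

# Assumed XP baselines: stock Winlogon Notify packages; core binaries that only run from system32.
KNOWN_WINLOGON_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "scecli", "schedule",
                         "sclgntfy", "senslogn", "termsrv", "wlballoon"}
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                 "lsass.exe", "svchost.exe", "spoolsv.exe"}
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com")
DRIVE_PATH_RE = re.compile(r"^[a-z]:\\", re.I)
SYSTEM32_FILE_RE = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
EXE_PATH_RE = re.compile(r'(.+?\.(?:exe|dll|scr|bat|cmd|vbs|com))(?=$|\s|"|,)', re.I)
HOST_RE = re.compile(r"https?://([^/\s\[\]]+)", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?P<rest>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - ")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>[a-z]:\\.*)$", re.I)

# Sample input: lines copied from the HJT log posted above.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\User\svchost.exe
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\l3acdb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\System32\agerltuc.dll",forkonce
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\User\svchost.exe
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\System32\drivers\svchost.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: aeskap - C:\WINDOWS\SYSTEM32\aeskap.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Kg\command.exe
"""

def path_findings(path, line):
    """Rules that apply to any executable path, wherever the log mentions it."""
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    hits = []
    if base in CORE_BINARIES and not SYSTEM32_FILE_RE.match(low):
        hits.append(("core-binary-outside-system32", line))
    # An .exe sitting directly in a profile root: C:\Documents and Settings\<user>\x.exe
    if low.startswith("c:\\documents and settings\\") and low.count("\\") == 3 and base.endswith(".exe"):
        hits.append(("exe-in-profile-root", line))
    if "\\system32\\drivers\\" in low and base.endswith(".exe"):
        hits.append(("exe-in-drivers-dir", line))
    return hits

def o4_target(where, rest):
    """File an O4 autostart entry launches, or None when it cannot be parsed."""
    if where.endswith("Startup"):          # 'Foo.lnk = C:\path\x.exe' (or '= ?')
        target = rest.split(" = ", 1)[-1]
    else:                                  # '[Name] "C:\path\x.exe" args'
        target = rest.split("] ", 1)[-1]
    target = target.strip().lstrip('"')
    if target.lower().startswith("rundll32") and " " in target:
        target = target.split(None, 1)[1].lstrip('"')   # judge the DLL, not rundll32
    m = EXE_PATH_RE.match(target)
    return m.group(1) if m else None

def triage(lines):
    """Return (rule, line) findings for the given HJT log lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if DRIVE_PATH_RE.match(line):                   # 'Running processes' entry
            findings += path_findings(line, line)
        elif m := O2_RE.match(line):
            if m["path"] == "(no file)":                # dead CLSID, cleanup candidate
                findings.append(("orphaned-bho", line))
            elif m["name"] == "(no name)":              # a loaded DLL that names itself nothing
                findings.append(("unnamed-bho-with-file", line))
        elif m := O4_RE.match(line):
            if "rundll32" in m["rest"].lower():
                findings.append(("rundll32-autostart", line))
            target = o4_target(m["where"], m["rest"])
            if target:
                findings += path_findings(target, line)
        elif line.startswith("O16 - DPF:"):            # ActiveX download source
            h = HOST_RE.search(line)
            host = h.group(1).lower() if h else ""
            if not any(host == t or host.endswith("." + t) for t in TRUSTED_DPF_HOSTS):
                findings.append(("dpf-non-microsoft-source", line))
        elif m := O20_RE.match(line):
            if m["name"].lower() not in KNOWN_WINLOGON_NOTIFY:
                findings.append(("unknown-winlogon-notify", line))
        elif m := O23_RE.match(line):
            if m["owner"].strip().lower() == "unknown owner" and not SYSTEM32_FILE_RE.match(m["path"]):
                findings.append(("unknown-owner-service", line))
    return findings

if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG.splitlines()):
        print(f"{rule:30} {line}")
```

Run against the full log, the script flags the same entries the helper later targets (the Winlogon Notify DLLs, the svchost.exe copies outside system32, the unknown-owner services) while leaving the vendor entries alone.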

Budfred
08-29-2007, 08:47 PM
Yeah, you are pretty massively infected... This is probably mostly because your computer security has holes in it that you can drive a virus truck through, but we will deal with that in a while... In the meanwhile, until this is cleaned up, please stay off the internet as much as possible, do not install any new programs that are not needed for cleanup and do NOT do any financial transactions on this computer on the internet...

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall...

If that link doesn't work, try this one:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

dafunk
08-30-2007, 08:52 PM
Hello, thanks for your help.
Before I saw your response I was able to get Anti-spyware and AVG to run finally. They took forever but both removed tons of trojans,
at least that's what they say they did.
Once I saw your post I downloaded ComboFix and followed your instructions.

And here is the log in the next reply:

dafunk
08-30-2007, 08:55 PM
part 1:
ComboFix 07-08-30.3 - "User" 2007-08-30 17:37:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.80 [GMT -4:00]
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\Program Files\Common Files\horyg22011.exe
C:\Program Files\inetget2
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\b104.exe
C:\WINDOWS\bi.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\DOWNLO~1\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\DOWNLO~1\USDR6_0001_D19M2108NetInstaller.exe
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\180ax.exe
C:\WINDOWS\system32\bi.dll
C:\WINDOWS\system32\biprep.exe
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\dwdsrngt.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\l3acdb.dll
C:\WINDOWS\system32\msbind32.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\regscan.exe
C:\WINDOWS\system32\salm.exe
C:\WINDOWS\system32\satmat.exe
C:\WINDOWS\system32\susp.exe
C:\WINDOWS\system32\updatetc.exe
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\voiceip.dll
C:\WINDOWS\WebAssist.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DRIVER
-------\Driver


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-30 )))))))))))))))))))))))))))))))


2007-08-30 17:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 08:05 1,610,082 ---hs---- C:\WINDOWS\system32\dfhkj.ini2
2007-08-29 17:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-29 17:38 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 17:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 17:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-29 07:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-29 07:41 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-29 07:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-28 20:17 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 16:27 8,192 --a------ C:\WINDOWS\system32\aeskap.dll
2007-08-25 16:27 2,432 --a------ C:\WINDOWS\system32\nvmapi.sys
2007-08-25 15:46 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-08-25 15:46 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-08-25 15:46 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Freeware
2007-08-25 15:33 <DIR> d--hs---- C:\WINDOWS\Kg
2007-08-25 15:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-23 19:23 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\AOL
2007-08-23 19:21 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-08-23 19:19 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2007-08-23 19:18 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-23 19:18 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-08-23 19:18 <DIR> d-------- C:\Program Files\AOL 9.0
2007-08-23 19:16 3,638 --a------ C:\WINDOWS\tpbb43lk.exe
2007-08-23 19:16 18,169 --a------ C:\WINDOWS\system32\sysalgg.exe
2007-08-23 10:02 1,609,400 --ahs---- C:\WINDOWS\system32\dfhkj.bak2
2007-08-22 22:02 6,473 --ahs---- C:\WINDOWS\system32\dfhkj.bak1
2007-08-22 21:57 52,772 --a------ C:\WINDOWS\system32\ljdsrngo.exe
2007-08-22 21:51 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-22 21:51 <DIR> d-------- C:\WINDOWS\system32\cofig32
2007-08-21 22:51 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\MSN6
2007-08-21 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-08-21 22:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-21 22:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-21 22:42 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-21 20:57 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-08-21 20:57 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-08-21 20:57 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-08-21 20:57 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-08-21 20:57 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-08-21 20:57 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-08-21 20:51 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-20 20:58 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-19 19:27 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\acccore
2007-08-19 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-08-19 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-19 19:26 <DIR> d-------- C:\Program Files\Viewpoint
2007-08-19 19:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-19 19:25 335 --a------ C:\WINDOWS\nsreg.dat
2007-08-19 19:25 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-08-19 19:25 <DIR> d-------- C:\Program Files\AIM6
2007-08-19 19:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-19 18:48 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-08-19 18:45 476,544 --a------ C:\WINDOWS\system32\drivers\MRVW245.sys

dafunk
08-30-2007, 08:57 PM
Part 2:

2007-08-19 18:45 <DIR> d-------- C:\WINDOWS\USBdevice
2007-08-19 18:45 <DIR> d-------- C:\temp
2007-08-19 18:45 <DIR> d-------- C:\Program Files\D-Link
2007-08-08 21:02 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-07 16:25 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-08-07 16:23 <DIR> d-------- C:\Program Files\Cat Daddy Games
2007-08-06 11:19 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-05 17:45 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2007-08-05 17:38 <DIR> d-------- C:\Program Files\Belkin
2007-07-09 09:33 51,072 --a--c--- C:\WINDOWS\system32\dllcache\i8042prt.sys
2007-07-09 09:33 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-09 09:33 22,016 --a--c--- C:\WINDOWS\system32\dllcache\mouclass.sys
2007-07-09 09:33 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-07-09 09:33 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-07-09 09:32 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-07-05 11:36 <DIR> d---s---- C:\DOCUME~1\User\UserData
2007-07-03 21:13 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-07-03 21:12 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2007-07-03 21:12 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2007-07-03 21:12 205,056 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2007-07-03 21:12 205,056 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2007-07-03 21:12 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2007-07-03 21:12 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2007-07-03 21:11 306,688 --a------ C:\WINDOWS\IsUninst.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 17:42 7616 --a------ C:\WINDOWS\system32\spoolsvv.sys
2007-08-25 16:11 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 18:45 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\Kg\40.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30000273-8230-4dd4-be4f-6889d1e74167}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4392A0FA-4F14-44F6-08A7-1C204C279D53}]
C:\Program Files\Windows NT\lavukacys174.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"sysalgg"="C:\WINDOWS\System32\sysalgg.exe" [2007-08-23 19:16]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-29 18:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 10:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aeskap]
aeskap.dll 2007-08-25 16:27 8192 C:\WINDOWS\system32\aeskap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrono]
rqrrono.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
backup=C:\WINDOWS\pss\Wireless Connection Manager.lnkCommon Startup

Budfred
08-30-2007, 11:22 PM
> Hello, thanks for your help.
> Before I saw your response I was able to get Anti-spyware and AVG to run finally. They took forever but both removed tons of trojans,
> at least that's what they say they did.
> Once I saw your post I downloaded ComboFix and followed your instructions.
>
> And here is the log in the next reply:

I am not sure what you mean you ran, but if you have logs from them, please post them here... Also, please don't run any more programs that I don't ask you to do since it can make this much more difficult...

Meanwhile, you still have a bunch of garbage in there... Please run ComboFix again and then run this:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
Just before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, right click the SDFix.zip folder and choose Extract All,
Open the extracted folder and double click RunThis.bat to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your Desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

dafunk
09-01-2007, 08:29 AM
Hi, sorry about that, I ran the programs before I saw your post.
I will post the logs you asked for plus the one from my anti-spyware.


ComboFix 07-08-30.3 - "User" 2007-08-31 16:22:21.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.116 [GMT -4:00]


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Driver


((((((((((((((((((((((((( Files Created from 2007-07-28 to 2007-08-31 )))))))))))))))))))))))))))))))


2007-08-30 17:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-30 08:05 1,610,082 ---hs---- C:\WINDOWS\system32\dfhkj.ini2
2007-08-29 17:38 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-08-29 17:38 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 17:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-08-29 17:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-29 07:41 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-08-29 07:41 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-08-29 07:41 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-08-28 20:17 <DIR> d-------- C:\WINDOWS\pss
2007-08-25 16:27 8,192 --a------ C:\WINDOWS\system32\aeskap.dll
2007-08-25 16:27 2,432 --a------ C:\WINDOWS\system32\nvmapi.sys
2007-08-25 15:46 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-08-25 15:46 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-08-25 15:46 <DIR> d-------- C:\Program Files\Common Files\DriveCleaner Freeware
2007-08-25 15:33 <DIR> d--hs---- C:\WINDOWS\Kg
2007-08-25 15:33 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-23 19:23 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\AOL
2007-08-23 19:21 <DIR> d-------- C:\Program Files\Common Files\Nullsoft
2007-08-23 19:19 33,588 -ra------ C:\WINDOWS\system32\drivers\wanatw4.sys
2007-08-23 19:18 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-08-23 19:18 <DIR> d-------- C:\Program Files\Common Files\aolshare
2007-08-23 19:18 <DIR> d-------- C:\Program Files\AOL 9.0
2007-08-23 19:16 3,638 --a------ C:\WINDOWS\tpbb43lk.exe
2007-08-23 19:16 18,169 --a------ C:\WINDOWS\system32\sysalgg.exe
2007-08-23 10:02 1,609,400 --ahs---- C:\WINDOWS\system32\dfhkj.bak2
2007-08-22 22:02 6,473 --ahs---- C:\WINDOWS\system32\dfhkj.bak1
2007-08-22 21:57 52,772 --a------ C:\WINDOWS\system32\ljdsrngo.exe
2007-08-22 21:51 <DIR> d-------- C:\WINDOWS\system32\IBD4
2007-08-22 21:51 <DIR> d-------- C:\WINDOWS\system32\cofig32
2007-08-21 22:51 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\MSN6
2007-08-21 22:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
2007-08-21 22:42 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-08-21 22:42 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2007-08-21 22:42 <DIR> d-------- C:\WINDOWS\system32\bits
2007-08-21 20:57 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-08-21 20:57 33,624 --a------ C:\WINDOWS\system32\wups.dll
2007-08-21 20:57 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-08-21 20:57 203,096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-08-21 20:57 186,136 --a------ C:\WINDOWS\system32\wuaueng1.dll
2007-08-21 20:57 167,704 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-08-21 20:51 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-08-20 20:58 <DIR> d-------- C:\WINDOWS\LastGood
2007-08-19 19:27 <DIR> d-------- C:\DOCUME~1\User\APPLIC~1\acccore
2007-08-19 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL OCP
2007-08-19 19:27 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-08-19 19:26 <DIR> d-------- C:\Program Files\Viewpoint
2007-08-19 19:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-08-19 19:25 335 --a------ C:\WINDOWS\nsreg.dat
2007-08-19 19:25 <DIR> d-------- C:\Program Files\Common Files\AOL
2007-08-19 19:25 <DIR> d-------- C:\Program Files\AIM6
2007-08-19 19:24 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-08-19 18:48 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2007-08-19 18:45 476,544 --a------ C:\WINDOWS\system32\drivers\MRVW245.sys
2007-08-19 18:45 <DIR> d-------- C:\WINDOWS\USBdevice
2007-08-19 18:45 <DIR> d-------- C:\temp
2007-08-19 18:45 <DIR> d-------- C:\Program Files\D-Link
2007-08-08 21:02 21,760 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2007-08-07 16:25 1,632 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-08-07 16:23 <DIR> d-------- C:\Program Files\Cat Daddy Games
2007-08-06 11:19 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-08-05 17:45 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2007-08-05 17:38 <DIR> d-------- C:\Program Files\Belkin
2007-07-09 09:33 51,072 --a--c--- C:\WINDOWS\system32\dllcache\i8042prt.sys
2007-07-09 09:33 51,072 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
2007-07-09 09:33 22,016 --a--c--- C:\WINDOWS\system32\dllcache\mouclass.sys
2007-07-09 09:33 22,016 --a------ C:\WINDOWS\system32\drivers\mouclass.sys
2007-07-09 09:33 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2007-07-09 09:32 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2007-07-05 11:36 <DIR> d---s---- C:\DOCUME~1\User\UserData
2007-07-03 21:13 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-07-03 21:12 23,808 --a--c--- C:\WINDOWS\system32\dllcache\dot4usb.sys
2007-07-03 21:12 23,808 --a------ C:\WINDOWS\system32\drivers\Dot4usb.sys
2007-07-03 21:12 205,056 --a--c--- C:\WINDOWS\system32\dllcache\dot4.sys
2007-07-03 21:12 205,056 --a------ C:\WINDOWS\system32\drivers\Dot4.sys
2007-07-03 21:12 12,928 --a--c--- C:\WINDOWS\system32\dllcache\dot4prt.sys
2007-07-03 21:12 12,928 --a------ C:\WINDOWS\system32\drivers\Dot4Prt.sys
2007-07-03 21:11 306,688 --a------ C:\WINDOWS\IsUninst.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-31 16:26 7616 --a------ C:\WINDOWS\system32\spoolsvv.sys
2007-08-25 16:11 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-08-19 18:45 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2005-07-29 20:24:26 472 --sha-r C:\WINDOWS\Kg\40.vbs


((((((((((((((((((((((((((((( snapshot_2007-08-30_174258.00 )))))))))))))))))))))))))))))))))))))))))

----a-w 53,608 2007-08-30 21:45:33 C:\WINDOWS\system32\perfc009.dat
----a-w 383,254 2007-08-30 21:45:33 C:\WINDOWS\system32\perfh009.dat
----atw 16,384 2007-08-31 20:26:26 C:\WINDOWS\Temp\Perflib_Perfdata_660.dat

----a-w 53,608 2007-08-19 22:50:31 C:\WINDOWS\system32\perfc009.dat
----a-w 383,254 2007-08-19 22:50:31 C:\WINDOWS\system32\perfh009.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06dfedaa-6196-11d5-bfc8-00508b4a487d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30000273-8230-4dd4-be4f-6889d1e74167}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4392A0FA-4F14-44F6-08A7-1C204C279D53}]
C:\Program Files\Windows NT\lavukacys174.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5fa6752a-c4a0-4222-88c2-928ae5ab4966}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
"sysalgg"="C:\WINDOWS\System32\sysalgg.exe" [2007-08-23 19:16]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2006-07-07 19:15]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-08-29 18:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-30 10:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aeskap]
aeskap.dll 2007-08-25 16:27 8192 C:\WINDOWS\system32\aeskap.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rqrrono]
rqrrono.dll

dafunk
09-01-2007, 08:30 AM
ComboFix part 2
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP LaserJet Director.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP LaserJet Director.lnk
backup=C:\WINDOWS\pss\HP LaserJet Director.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Wireless Connection Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Wireless Connection Manager.lnk
backup=C:\WINDOWS\pss\Wireless Connection Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\WINDOWS\System32\drivers\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autorun]
C:\Documents and Settings\User\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\qwinkmdt.exe CHD003

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\horyg]
C:\Program Files\Common Files\horyg22011.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1187911096\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP AutoIndexer]
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP SchedIndexer]
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\itype]
"C:\Program Files\Microsoft IntelliType Pro\itype.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Regscan]
C:\WINDOWS\System32\regscan.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
C:\WINDOWS\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Salestart]
"C:\Program Files\Common Files\DriveCleaner Freeware\dcsm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe "C:\WINDOWS\System32\agerltuc.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{18-86-6D-D7-ZN}]
C:\WINDOWS\system32\ljdsrngo.exe CHD003

dafunk
09-01-2007, 08:31 AM
ComboFix part 3
R0 ACPI;Microsoft ACPI Driver;C:\WINDOWS\System32\DRIVERS\ACPI.sys
R0 Disk;Disk Driver;C:\WINDOWS\System32\DRIVERS\disk.sys
R0 dmio;Logical Disk Manager Driver;C:\WINDOWS\System32\drivers\dmio.sys
R0 Ftdisk;Volume Manager Driver;C:\WINDOWS\System32\DRIVERS\ftdisk.sys
R0 isapnp;PnP ISA/EISA Bus Driver;C:\WINDOWS\System32\DRIVERS\isapnp.sys
R0 NDIS;NDIS System Driver;C:\WINDOWS\System32\drivers\NDIS.sys
R0 PCI;PCI Bus Driver;C:\WINDOWS\System32\DRIVERS\pci.sys
R0 sr;System Restore Filter Driver;C:\WINDOWS\System32\DRIVERS\sr.sys
R1 Avg7RsW;AVG7 Wrap Driver;C:\WINDOWS\System32\Drivers\avg7rsw.sys
R1 AvgClean;AVG7 Clean Driver;C:\WINDOWS\System32\Drivers\avgclean.sys
R1 Cdrom;CD-ROM Driver;C:\WINDOWS\System32\DRIVERS\cdrom.sys
R1 i8042prt;i8042 Keyboard and PS/2 Mouse Port Driver;C:\WINDOWS\System32\DRIVERS\i8042prt.sys
R1 Imapi;CD-Burning Filter Driver;C:\WINDOWS\System32\DRIVERS\imapi.sys
R1 IPSec;IPSEC driver;C:\WINDOWS\System32\DRIVERS\ipsec.sys
R1 Kbdclass;Keyboard Class Driver;C:\WINDOWS\System32\DRIVERS\kbdclass.sys
R1 Mouclass;Mouse Class Driver;C:\WINDOWS\System32\DRIVERS\mouclass.sys
R1 nvmapi;NVidia TLayer gateway A2;\??\C:\WINDOWS\System32\nvmapi.sys
R1 Processor;Processor Driver;C:\WINDOWS\System32\DRIVERS\processr.sys
R1 RasAcd;Remote Access Auto Connection Driver;C:\WINDOWS\System32\DRIVERS\rasacd.sys
R1 redbook;Digital CD Audio Playback Filter Driver;C:\WINDOWS\System32\DRIVERS\redbook.sys
R1 Serial;Serial port driver;C:\WINDOWS\System32\DRIVERS\serial.sys
R1 Tcpip;TCP/IP Protocol Driver;C:\WINDOWS\System32\DRIVERS\tcpip.sys
R1 TermDD;Terminal Device Driver;C:\WINDOWS\System32\DRIVERS\termdd.sys
R3 audstub;Audio Stub Driver;C:\WINDOWS\System32\DRIVERS\audstub.sys
R3 Fdc;Floppy Disk Controller Driver;C:\WINDOWS\System32\DRIVERS\fdc.sys
R3 Flpydisk;Floppy Disk Driver;C:\WINDOWS\System32\DRIVERS\flpydisk.sys
R3 ltmodem5;LT Modem Driver;C:\WINDOWS\System32\DRIVERS\ltmdmnt.sys
R3 NdisTapi;Remote Access NDIS TAPI Driver;C:\WINDOWS\System32\DRIVERS\ndistapi.sys
R3 NdisWan;Remote Access NDIS WAN Driver;C:\WINDOWS\System32\DRIVERS\ndiswan.sys
R3 NIC1394;1394 Net Driver;C:\WINDOWS\System32\DRIVERS\nic1394.sys
R3 Parport;Parallel port driver;C:\WINDOWS\System32\DRIVERS\parport.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\System32\DRIVERS\point32.sys
R3 Ptilink;Direct Parallel Link Driver;C:\WINDOWS\System32\DRIVERS\ptilink.sys
R3 RasPppoe;Remote Access PPPOE Driver;C:\WINDOWS\System32\DRIVERS\raspppoe.sys
R3 rdpdr;Terminal Server Device Redirector Driver;C:\WINDOWS\System32\DRIVERS\rdpdr.sys
R3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\RTL8139.SYS
R3 serenum;Serenum Filter Driver;C:\WINDOWS\System32\DRIVERS\serenum.sys
R3 swenum;Software Bus Driver;C:\WINDOWS\System32\DRIVERS\swenum.sys
R3 Update;Microcode Update Driver;C:\WINDOWS\System32\DRIVERS\update.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\System32\DRIVERS\usbuhci.sys
R3 Wanarp;Remote Access IP ARP Driver;C:\WINDOWS\System32\DRIVERS\wanarp.sys
R3 wdmaud;Microsoft WINMM WDM Audio Compatibility Driver;C:\WINDOWS\System32\drivers\wdmaud.sys
S1 kbdhid;Keyboard HID Driver;C:\WINDOWS\System32\DRIVERS\kbdhid.sys
S3 AsyncMac;RAS Asynchronous Media Driver;C:\WINDOWS\System32\DRIVERS\asyncmac.sys
S3 dot4;MS IEEE-1284.4 Driver;C:\WINDOWS\System32\DRIVERS\Dot4.sys
S3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\System32\DRIVERS\hidusb.sys
S3 IpFilterDriver;IP Traffic Filter Driver;C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
S3 IpInIp;IP in IP Tunnel Driver;C:\WINDOWS\System32\DRIVERS\ipinip.sys
S3 mouhid;Mouse HID Driver;C:\WINDOWS\System32\DRIVERS\mouhid.sys
S3 NwlnkFlt;IPX Traffic Filter Driver;C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys
S3 NwlnkFwd;IPX Traffic Forwarder Driver;C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys
S3 usbccgp;Microsoft USB Generic Parent Driver;C:\WINDOWS\System32\DRIVERS\usbccgp.sys
S3 ZDPSp50;ZDPSp50 NDIS Protocol Driver;C:\WINDOWS\System32\Drivers\ZDPSp50.sys


Contents of the 'Scheduled Tasks' folder
2007-08-26 04:03:00 C:\WINDOWS\Tasks\At1.job
2007-08-22 18:59:37 C:\WINDOWS\Tasks\At10.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-23 14:01:05 C:\WINDOWS\Tasks\At11.job
2007-08-24 15:03:00 C:\WINDOWS\Tasks\At12.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-24 16:03:00 C:\WINDOWS\Tasks\At13.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-24 17:03:00 C:\WINDOWS\Tasks\At14.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-24 18:03:00 C:\WINDOWS\Tasks\At15.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-24 19:03:00 C:\WINDOWS\Tasks\At16.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-25 20:02:34 C:\WINDOWS\Tasks\At17.job
2007-08-25 21:03:00 C:\WINDOWS\Tasks\At18.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-29 22:01:02 C:\WINDOWS\Tasks\At19.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-22 18:59:37 C:\WINDOWS\Tasks\At2.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-28 23:03:00 C:\WINDOWS\Tasks\At20.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-29 00:03:00 C:\WINDOWS\Tasks\At21.job - C:\WINDOWS\System32\btwo8H4s.exe
2007-08-26 01:03:00 C:\WINDOWS\Tasks\At22.job -

dafunk
09-01-2007, 08:34 AM
SDFix: Version 1.101

Run by User on Fri 08/31/2007 at 04:38 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\system32\spoolsvv.sys - Deleted



Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:


[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\AOL 9.0\AOLphx.exe
C:\Program Files\AOL 9.0\AOLphxex.exe
C:\Program Files\AOL 9.0\rbm.exe
C:\Program Files\Common Files\AOL\TopSpeed\3.0\WBUnins.exe
C:\WINDOWS\LastGood.Tmp\INF\oem4.inf
C:\WINDOWS\LastGood.Tmp\INF\oem4.PNF
C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\Kg\40.vbs

Finished

dafunk
09-01-2007, 08:37 AM
This is the log from the Spyware program:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 08/30/2007 at 08:10 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Quick Scan
Total Scan Time : 00:13:09

Memory items scanned : 464
Memory threats detected : 5
Registry items scanned : 649
Registry threats detected : 114
File items scanned : 7446
File threats detected : 207

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\JKHFD.DLL
C:\WINDOWS\SYSTEM32\JKHFD.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BD172A92-365D-46E8-98B8-3FDD7D6FA275}
HKCR\CLSID\{BD172A92-365D-46E8-98B8-3FDD7D6FA275}
HKCR\CLSID\{BD172A92-365D-46E8-98B8-3FDD7D6FA275}\InprocServer32
HKCR\CLSID\{BD172A92-365D-46E8-98B8-3FDD7D6FA275}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\jkhfd

Unclassified.Unknown Origin
C:\WINDOWS\KG\COMMAND.EXE
C:\WINDOWS\KG\COMMAND.EXE
HKLM\System\ControlSet001\Services\cmdService
HKLM\System\ControlSet002\Services\cmdService
HKLM\System\CurrentControlSet\Services\cmdService
C:\WINDOWS\Prefetch\COMMAND.EXE-135D2F9C.pf

Adware.Adservs
C:\WINDOWS\KG\ASAPPSRV.DLL
C:\WINDOWS\KG\ASAPPSRV.DLL
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\FOMCVBQG.DLL
C:\WINDOWS\SYSTEM32\FOMCVBQG.DLL

Trojan.NetMon/DNSChange
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
C:\PROGRAM FILES\NETWORK MONITOR\NETMON.EXE
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Type
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#Start
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Network Monitor\Enum#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NETWORK_MONITOR\0000\Control#ActiveService
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A394E835-C8D6-4B4B-884B-D2709059F3BE}#UninstallString
C:\Program Files\Network Monitor
C:\WINDOWS\Prefetch\NETMON.EXE-09C9CC43.pf

sPeerObj Class BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000026-8735-428D-B81F-DD098223B25F}

Transponder Variant BHO
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}

Adware.BetterInternet
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000006b1-19b5-414a-849f-2a3c64ae6939}

Adware.2020Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}

Adware.404Search
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53C330D6-A4AB-419B-B45D-FD4411C1FEF4}

Adware.180solutions/SurfAssistant
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}

Adware.Second Thought
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}
C:\WINDOWS\BOKJA.EXE
C:\WINDOWS\STCLOADER.EXE

Trojan.Downloader-FakeRX
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C934903B-61BE-403A-BC70-D738DAF43B8E}
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\Implemented Categories
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502}
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\InprocServer32
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\InprocServer32#ThreadingModel
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\ProgID
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\Programmable
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\TypeLib
HKCR\CLSID\{C934903B-61BE-403A-BC70-D738DAF43B8E}\VERSION
C:\WINDOWS\SYSTEM32\MSSCDS32.DLL

Trojan.PBar
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}

Adware.k8l
C:\PROGRAM FILES\WINDOWS NT\PROFSYXYVIR.HTML
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Source
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#SubscribedURL
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#FriendlyName
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Flags
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#Position
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#CurrentState
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#OriginalStateInfo
HKU\S-1-5-21-1454471165-2049760794-1801674531-1003\Software\Microsoft\Internet Explorer\Desktop\Components\0#RestoredStateInfo

dafunk
09-01-2007, 08:39 AM
Part 2
Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@statcounter[1].txt
C:\Documents and Settings\User\Cookies\user@www.drivecleaner[2].txt
C:\Documents and Settings\User\Cookies\user@1068739735[1].txt
C:\Documents and Settings\User\Cookies\user@c5.zedo[1].txt
C:\Documents and Settings\User\Cookies\user@a.websponsors[2].txt
C:\Documents and Settings\User\Cookies\user@ad.creafi[2].txt
C:\Documents and Settings\User\Cookies\user@banners.battleon[2].txt
C:\Documents and Settings\User\Cookies\user@html[2].txt
C:\Documents and Settings\User\Cookies\user@cgi-bin[2].txt
C:\Documents and Settings\User\Cookies\user@screensavers[2].txt
C:\Documents and Settings\User\Cookies\user@ads.addynamix[2].txt
C:\Documents and Settings\User\Cookies\user@serving-sys[1].txt
C:\Documents and Settings\User\Cookies\user@1060048327[1].txt
C:\Documents and Settings\User\Cookies\user@e-2dj6wbmiqndzicp.stats.esomniture[2].txt
C:\Documents and Settings\User\Cookies\user@e-2dj6wblyglc5ido.stats.esomniture[1].txt
C:\Documents and Settings\User\Cookies\user@1071941575[1].txt
C:\Documents and Settings\User\Cookies\user@1067984753[1].txt
C:\Documents and Settings\User\Cookies\user@adbrite[1].txt
C:\Documents and Settings\User\Cookies\user@ads.gamebattles[1].txt
C:\Documents and Settings\User\Cookies\user@fastclick[2].txt
C:\Documents and Settings\User\Cookies\user@1071635636[1].txt
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[1].txt
C:\Documents and Settings\User\Cookies\user@trafficmp[1].txt
C:\Documents and Settings\User\Cookies\user@nextag[1].txt
C:\Documents and Settings\User\Cookies\user@1070711723[1].txt
C:\Documents and Settings\User\Cookies\user@paypal.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@ad.bannerconnect[2].txt
C:\Documents and Settings\User\Cookies\user@www.burstnet[2].txt
C:\Documents and Settings\User\Cookies\user@ad.media-servers[2].txt
C:\Documents and Settings\User\Cookies\user@d3.zedo[2].txt
C:\Documents and Settings\User\Cookies\user@2o7[3].txt
C:\Documents and Settings\User\Cookies\user@www.screensavers[1].txt
C:\Documents and Settings\User\Cookies\user@adrevolver[3].txt
C:\Documents and Settings\User\Cookies\user@ehg-upperdeck.hitbox[1].txt
C:\Documents and Settings\User\Cookies\user@adserver[1].txt
C:\Documents and Settings\User\Cookies\user@adrevolver[2].txt
C:\Documents and Settings\User\Cookies\user@login.tracking101[1].txt
C:\Documents and Settings\User\Cookies\user@1067779931[1].txt
C:\Documents and Settings\User\Cookies\user@audubonscreensaver[1].txt
C:\Documents and Settings\User\Cookies\user@ads.k8l[1].txt
C:\Documents and Settings\User\Cookies\user@ads.adbrite[1].txt
C:\Documents and Settings\User\Cookies\user@roiservice[2].txt
C:\Documents and Settings\User\Cookies\user@ad.adnetinteractive[2].txt
C:\Documents and Settings\User\Cookies\user@banners.searchingbooth[1].txt
C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
C:\Documents and Settings\User\Cookies\user@lynxtrack[1].txt
C:\Documents and Settings\User\Cookies\user@revenue[1].txt
C:\Documents and Settings\User\Cookies\user@1060733097[1].txt
C:\Documents and Settings\User\Cookies\user@perf.overture[1].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@atwola[1].txt
C:\Documents and Settings\User\Cookies\user@drivecleaner[1].txt
C:\Documents and Settings\User\Cookies\user@e-2dj6wjnyqgdzmfp.stats.esomniture[1].txt
C:\Documents and Settings\User\Cookies\user@anat.tacoda[2].txt
C:\Documents and Settings\User\Cookies\user@adopt.specificclick[2].txt
C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
C:\Documents and Settings\User\Cookies\user@revsci[1].txt
C:\Documents and Settings\User\Cookies\user@stats1.reliablestats[1].txt
C:\Documents and Settings\User\Cookies\user@entrepreneur[1].txt
C:\Documents and Settings\User\Cookies\user@burstnet[2].txt
C:\Documents and Settings\User\Cookies\user@ads2.drivelinemedia[1].txt
C:\Documents and Settings\User\Cookies\user@adultfriendfinder[1].txt
C:\Documents and Settings\User\Cookies\user@ads.web.aol[1].txt
C:\Documents and Settings\User\Cookies\user@questionmarket[1].txt
C:\Documents and Settings\User\Cookies\user@servedby.adxpower[1].txt
C:\Documents and Settings\User\Cookies\user@www.winantiviruspro[2].txt
C:\Documents and Settings\User\Cookies\user@winantivirus[2].txt
C:\Documents and Settings\User\Cookies\user@62908595[1].txt
C:\Documents and Settings\User\Cookies\user@casalemedia[2].txt
C:\Documents and Settings\User\Cookies\user@atdmt[2].txt
C:\Documents and Settings\User\Cookies\user@ad.xplusone[2].txt
C:\Documents and Settings\User\Cookies\user@1066716313[1].txt
C:\Documents and Settings\User\Cookies\user@realmedia[2].txt
C:\Documents and Settings\User\Cookies\user@bluestreak[1].txt
C:\Documents and Settings\User\Cookies\user@ad.interclick[2].txt
C:\Documents and Settings\User\Cookies\user@1072657029[2].txt
C:\Documents and Settings\User\Cookies\user@adserving.cpxinteractive[2].txt
C:\Documents and Settings\User\Cookies\user@ads.realtechnetwork[2].txt
C:\Documents and Settings\User\Cookies\user@www.xctrk[1].txt
C:\Documents and Settings\User\Cookies\user@heavycom.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@pch.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@tacoda[1].txt
C:\Documents and Settings\User\Cookies\user@overture[2].txt
C:\Documents and Settings\User\Cookies\user@ads.us.e-planning[1].txt
C:\Documents and Settings\User\Cookies\user@ehg-bmwna.hitbox[1].txt
C:\Documents and Settings\User\Cookies\user@ads.maxecpm[2].txt
C:\Documents and Settings\User\Cookies\user@anad.tacoda[1].txt
C:\Documents and Settings\User\Cookies\user@i.screensavers[2].txt
C:\Documents and Settings\User\Cookies\user@LandingPage[1].txt
C:\Documents and Settings\User\Cookies\user@ads.pointroll[2].txt
C:\Documents and Settings\User\Cookies\user@1072634270[1].txt
C:\Documents and Settings\User\Cookies\user@zango[2].txt
C:\Documents and Settings\User\Cookies\user@server.cpmstar[2].txt
C:\Documents and Settings\User\Cookies\user@tradedoubler[1].txt
C:\Documents and Settings\User\Cookies\user@bs.serving-sys[1].txt
C:\Documents and Settings\User\Cookies\user@media.fimnetwork[2].txt
C:\Documents and Settings\User\Cookies\user@zedo[1].txt
C:\Documents and Settings\User\Cookies\user@reduxads.valuead[1].txt
C:\Documents and Settings\User\Cookies\user@doubleclick[2].txt
C:\Documents and Settings\User\Cookies\user@newmotioninc.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@1067730244[1].txt
C:\Documents and Settings\User\Cookies\user@directtrack[1].txt
C:\Documents and Settings\User\Cookies\user@mediaplex[1].txt
C:\Documents and Settings\User\Cookies\user@ehg-dig.hitbox[2].txt
C:\Documents and Settings\User\Cookies\user@adopt.euroclick[2].txt
C:\Documents and Settings\User\Cookies\user@msnportal.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@specificclick[2].txt
C:\Documents and Settings\User\Cookies\user@tremor.adbureau[2].txt
C:\Documents and Settings\User\Cookies\user@ads.think-adz[2].txt
C:\Documents and Settings\User\Cookies\user@ad[1].txt
C:\Documents and Settings\User\Cookies\user@cgm.adbureau[2].txt
C:\Documents and Settings\User\Cookies\user@popularscreensavers[2].txt
C:\Documents and Settings\User\Cookies\user@eyewonder[2].txt
C:\Documents and Settings\User\Cookies\user@ad.firstadsolution[2].txt
C:\Documents and Settings\User\Cookies\user@adserver.easyad[2].txt
C:\Documents and Settings\User\Cookies\user@interclick[2].txt
C:\Documents and Settings\User\Cookies\user@adsby.zwoops[1].txt
C:\Documents and Settings\User\Cookies\user@ad.aquamediadirect[2].txt
C:\Documents and Settings\User\Cookies\user@1069620997[2].txt
C:\Documents and Settings\User\Cookies\user@cpvfeed[2].txt
C:\Documents and Settings\User\Cookies\user@hitbox[2].txt
C:\Documents and Settings\User\Cookies\user@247realmedia[1].txt
C:\Documents and Settings\User\Cookies\user@edge.ru4[2].txt
C:\Documents and Settings\User\Cookies\user@adlegend[2].txt
C:\Documents and Settings\User\Cookies\user@stats.drivecleaner[2].txt
C:\Documents and Settings\User\Cookies\user@ad.theadhost[2].txt
C:\Documents and Settings\User\Cookies\user@advertising[1].txt
C:\Documents and Settings\User\Cookies\user@ad.iconadserver[2].txt
C:\Documents and Settings\User\Cookies\user@www.ppctracking[

dafunk
09-01-2007, 08:39 AM
part 3
1].txt
C:\Documents and Settings\User\Cookies\user@angleinteractive.directtrack[2].txt
C:\Documents and Settings\User\Cookies\user@revenuesense[2].txt
C:\Documents and Settings\User\Cookies\user@server.iad.liveperson[1].txt
C:\Documents and Settings\User\Cookies\user@1064030644[1].txt
C:\Documents and Settings\User\Cookies\user@awarenesstech.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@adecn[2].txt
C:\Documents and Settings\User\Cookies\user@ad.directaclick[2].txt
C:\Documents and Settings\User\Cookies\user@aoluk.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@click.interactivebrands[1].txt
C:\Documents and Settings\User\Cookies\user@ads.jokeroo[1].txt
C:\Documents and Settings\User\Cookies\user@exitexchange[1].txt
C:\Documents and Settings\User\Cookies\user@1070847646[1].txt
C:\Documents and Settings\User\Cookies\user@microsoftgamestudio.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@1060524049[2].txt
C:\Documents and Settings\User\Cookies\user@clicksor[2].txt
C:\Documents and Settings\User\Cookies\user@pro-market[1].txt
C:\Documents and Settings\User\Cookies\user@list[1].txt
C:\Documents and Settings\User\Cookies\user@1068064317[1].txt
C:\Documents and Settings\User\Cookies\user@gms.adbureau[1].txt
C:\Documents and Settings\User\Cookies\user@screensavers.funutilities[1].txt
C:\Documents and Settings\User\Cookies\user@www.adtrak[1].txt
C:\Documents and Settings\User\Cookies\user@buzznet.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@eas.apm.emediate[1].txt
C:\Documents and Settings\User\Cookies\user@clickbank[1].txt
C:\Documents and Settings\User\Cookies\user@ehg-pcsecurityshield.hitbox[1].txt
C:\Documents and Settings\User\Cookies\user@media.top-banners[1].txt
C:\Documents and Settings\User\Cookies\user@smileycentral[2].txt
C:\Documents and Settings\User\Cookies\user@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@enhance[2].txt
C:\Documents and Settings\User\Cookies\user@optimost[1].txt
C:\Documents and Settings\User\Cookies\user@1070361158[1].txt
C:\Documents and Settings\User\Cookies\user@ads.glispa[2].txt
C:\Documents and Settings\User\Cookies\user@goclick[2].txt
C:\Documents and Settings\User\Cookies\user@partner2profit[2].txt
C:\Documents and Settings\User\Cookies\user@azjmp[2].txt
C:\Documents and Settings\User\Cookies\user@winantispyware[1].txt
C:\Documents and Settings\User\Cookies\user@ad.ad-flow[2].txt
C:\Documents and Settings\User\Cookies\user@1071801887[1].txt

Trojan.cmdService
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Type
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#Start
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\cmdService\Enum#NextInstance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#Contact
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRemove
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877C2CD-F137-4144-BDB2-0A811492F920}#UninstallString
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CMDSERVICE\0000\Control#ActiveService

Trojan.ZenoSearch
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\SYSTEM32\QWINKMDT.EXE
C:\WINDOWS\PSS\THINK-ADZ.LNKSTARTUP
C:\WINDOWS\Prefetch\QWINKMDT.EXE-2FA54D04.pf

Adware.Think-Adz
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Think-Adz Search Assistant#UninstallString

Malware.DriveCleaner
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#SystemComponent
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}#Installer
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\Contains\Files#C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#CODEBASE
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\DownloadInformation#INF
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6}\InstalledVersion#LastModified
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\UDC6_0001_D21M0303\INSTALLER.EXE
C:\RECYCLER\S-1-5-21-1454471165-2049760794-1801674531-1003\DC7.EXE
C:\WINDOWS\DOWNLOADED PROGRAM FILES\UDC6_0001_D19M1908NETINSTALLER.EXE

Trojan.Downloader-CommandDesktop
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\CMDINST.EXE

Trojan.FakeDrop-2020Search
C:\WINDOWS\2020SEARCH.DLL
C:\WINDOWS\2020SEARCH2.DLL

Trojan.Downloader-Gen/Installer
C:\WINDOWS\B104.EXE
C:\WINDOWS\Prefetch\B104.EXE-155A418B.pf

Trojan.FakeDrop-BI
C:\WINDOWS\BI.DLL
C:\WINDOWS\SYSTEM32\BI.DLL

Trojan.FakeDrop-BJam
C:\WINDOWS\BJAM.DLL

Trojan.FakeDrop-CDSM32
C:\WINDOWS\CDSM32.DLL

Malware.SystemDoctor
C:\WINDOWS\DOWNLOADED PROGRAM FILES\USDR6_0001_D19M2108NETINSTALLER.EXE

Trojan.Unknown Origin
C:\WINDOWS\KG\40.VBS
C:\WINDOWS\UNINSTALL_NMON.VBS

Trojan.FakeDrop-MSPPHE
C:\WINDOWS\MSPPHE.DLL

Trojan.FakeDrop-MSSVR
C:\WINDOWS\MSSVR.EXE

Trojan.FakeDrop-PBar
C:\WINDOWS\PBAR.DLL

Trojan.FakeDrop-180AX
C:\WINDOWS\SYSTEM32\180AX.EXE

Trojan.REGSCAN
C:\WINDOWS\SYSTEM32\REGSCAN.EXE

Trojan.SUSP/Transponder
C:\WINDOWS\SYSTEM32\SUSP.EXE

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\WINPFZ32.SYS

dafunk
09-01-2007, 08:41 AM
This is AVG log:

General properties;""
Report name;"Complete Test"
Start time;"8/29/2007 6:03:37 PM"
End time;"8/29/2007 6:41:40 PM (total: 38:01.10 Min)"
Launch method;"Scanning launched manually"
Scanning result;"Threats found"
Report status;"Scanning completed successfully"
;""
Object summary;""
Scanned;"31430"
Threats Found;"23"
Cleaned;"0"
Moved to vault;"7"
Deleted;"16"
Errors;"0"
C:\syspkpp.exe;"";"Deleted"
C:\syspuyt.exe;"";"Deleted"
C:\sysygmm.exe;"";"Deleted"
C:\Documents and Settings\User\svchost.exe;"";"Moved to Vault"
C:\Documents and Settings\User\Local Settings\Temp\~5536.tmp;"";"Moved to Vault"
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\2XG721U5\gepj[1];"";"Deleted"
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\2XG721U5\skbyi[1].js;"";"Moved to Vault"
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\QP8PYZI5\lds[1].exe;"";"Moved to Vault"
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppautoindexer.exe;"";"Moved to Vault"
C:\Program Files\Hewlett-Packard\LaserJet All-in-one\hppschedindexer.exe;"";"Moved to Vault"
C:\Program Files\Windows NT\lavukacys.dll;"";"Deleted"
C:\WINDOWS\b122.exe;"";"Deleted"
C:\WINDOWS\tk58.exe;"";"Deleted"
C:\WINDOWS\winh32.exe;"";"Deleted"
C:\WINDOWS\Downloaded Program Files\xpreload.ocx;"";"Deleted"
C:\WINDOWS\system32\agerltuc.dll;"";"Deleted"
C:\WINDOWS\system32\btwo8H4s.exe;"";"Deleted"
C:\WINDOWS\system32\klaabomm.dll;"";"Deleted"
C:\WINDOWS\system32\spoolsvv.sys;"";"Moved to Vault"
C:\WINDOWS\system32\ssqrqon.dll;"";"Deleted"
C:\WINDOWS\system32\drivers\svchost.exe;"";"Deleted"
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe;"";"Deleted"
C:\WINDOWS\Temp\svcipa.exe;"";"Deleted"
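As an added example for this thread (not AVG's own code, and not something any poster ran), the following Python parses the semicolon-separated report layout shown above and applies two checks a helper would make before trusting the summary: that the totals agree with the per-object rows, and whether any detection carries a core Windows process name outside its normal directory (the report above has two such `svchost.exe` hits). The embedded report is a constructed, shortened copy of the one pasted above, with its totals adjusted to the subset of rows kept; the field layout is assumed from that paste.

```python
"""Parse the AVG 'Complete Test' report format shown above and sanity-check it.

Added example for this thread, not AVG's own code.  Two checks a helper
would run: do the summary totals match the per-object rows, and do any of
the detections use a core Windows process name outside its normal directory.
"""
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List, Tuple

# Constructed, shortened copy of the report pasted above: same field layout,
# a subset of its rows, with the totals adjusted to that subset.
SAMPLE_AVG_REPORT = r"""General properties;""
Report name;"Complete Test"
Scanning result;"Threats found"
;""
Object summary;""
Scanned;"31430"
Threats Found;"5"
Cleaned;"0"
Moved to vault;"2"
Deleted;"3"
Errors;"0"
C:\syspkpp.exe;"";"Deleted"
C:\Documents and Settings\User\svchost.exe;"";"Moved to Vault"
C:\WINDOWS\winh32.exe;"";"Deleted"
C:\WINDOWS\system32\spoolsvv.sys;"";"Moved to Vault"
C:\WINDOWS\system32\drivers\svchost.exe;"";"Deleted"
"""

Summary = Dict[str, str]
Detection = Dict[str, str]


def parse_avg_report(text: str) -> Tuple[Summary, List[Detection]]:
    """Split the report into key/value summary lines and 3-field detection rows."""
    summary: Summary = {}
    detections: List[Detection] = []
    for row in csv.reader(StringIO(text), delimiter=";", quotechar='"'):
        if len(row) == 2 and row[0]:                       # e.g. Deleted;"16"
            summary[row[0]] = row[1]
        elif len(row) == 3:                                # path;"info";"action"
            detections.append({"path": row[0], "info": row[1], "action": row[2]})
    return summary, detections


def count_mismatches(summary: Summary, detections: List[Detection]) -> Dict[str, Tuple[int, int]]:
    """Return {field: (reported, counted)} for totals that disagree with the rows."""
    by_action = Counter(d["action"].lower() for d in detections)
    expected = {
        "Threats Found": len(detections),
        "Deleted": by_action["deleted"],
        "Moved to vault": by_action["moved to vault"],
    }
    return {k: (int(summary[k]), v) for k, v in expected.items()
            if k in summary and int(summary[k]) != v}


# Core process names that legitimately live only in C:\WINDOWS\system32.
CORE_PROCESS_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                      "lsass.exe", "svchost.exe", "spoolsv.exe"}


def masquerading_paths(detections: List[Detection]) -> List[str]:
    """Detections named like a core process but located outside system32."""
    hits = []
    for d in detections:
        parent, _, name = d["path"].rpartition("\\")
        if name.lower() in CORE_PROCESS_NAMES and parent.lower() != r"c:\windows\system32":
            hits.append(d["path"])
    return hits


if __name__ == "__main__":
    summary, detections = parse_avg_report(SAMPLE_AVG_REPORT)
    print("rows:", len(detections), "mismatches:", count_mismatches(summary, detections))
    for p in masquerading_paths(detections):
        print("core process name outside system32:", p)
```

Run it against a full report by reading the saved file into `parse_avg_report`; an empty dict from `count_mismatches` means the scanner's totals are consistent with the rows it listed, and every path returned by `masquerading_paths` deserves a second look regardless of what the scanner did with it.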

Budfred
09-01-2007, 10:27 AM
It looks like most of the garbage is gone, but some things are hanging on...

Please run this:

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4)
to your desktop.
Double-click *VundoFix.exe* to run it.
Click the *Scan for Vundo* button.
Once it's done scanning, click the *Remove Vundo* button.
You will receive a prompt asking if you want to remove the files, click *YES*
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click *OK*.
Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the *Scan for Vundo* button." when
VundoFix appears at reboot.

and then this............

* Click here (http://support.f-secure.com/enu/home/ols.shtml) to use the F-Secure Online Scanner
Then click the Start Scanning button below.
You should get a notification (bar on top) to install the activeX. Click on it and select to install the ActiveX.
Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
In case you are having problems with installing the ActiveX/starting the scan, please read here (http://support.f-secure.com/enu/home/ols-faq.shtml).
Click the Full System Scan button.
It will start to download scanner components and databases. This can take a while.
The main scan will start.
Once the scan finished scanning, click the Automatic cleaning (recommended) button
It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
The cleaning can take a while, so please be patient.
Then click the Show report button and copy and paste what's present under results in your next reply.


Then post those logs and a fresh HJT log after reboot... Let me know how things seem to be running and stay off the internet as much as possible...

dafunk
09-04-2007, 10:45 AM
Thanks for the instructions
The PC is running great now, no more freezing, no errors, no more popups and it's much faster. I'm not waiting 5 minutes for the computer to boot. :)

I downloaded and scanned with vundofix and it said "No infected files were found".
here is the C:\*vundofix.txt* :
VundoFix V6.5.8

Checking Java version...

Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.

Scan started at 9:33:33 AM 09/03/2007

Listing files found while scanning....

No infected files were found.

I also ran F-Secure Online Scanner and it found 2 viruses
Here are the results from the save report you asked for:

Scanning Report
Monday, September 03, 2007 21:49:39 - 23:02:38
Computer name: U0K7CP7YBHUF
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\

Result: 7 malware found
7FaSSt (spyware)
System (Disinfected)
Adware.BHO(generic) (spyware)
System (Disinfected)
Alexa (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
Trojan.Win32.Inject.ef (virus)
C:\3661296 (Renamed)
C:\WINDOWS\SYSTEM32\NVMAPI.SYS (Renamed)
istbar (spyware)
System (Disinfected)

Statistics
Scanned:
Files: 23914
System: 3702
Not scanned: 4
Actions:
Disinfected: 5
Renamed: 2
Deleted: 0
None: 0
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{FF5ED5CA-DC87-4D6D-8F58-8BFB433DC0DF}.BIN

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-09-03
F-Secure AVP: 7.0.171, 2007-09-03
F-Secure Orion: 1.2.37, 2007-09-03
F-Secure Blacklight: 1.0.64
F-Secure Draco: 1.0.35, 0596-150-72
F-Secure Pegasus: 1.19.0, 2007-08-01
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXXANI AVB BAT CMD LSP MAP MHT MIF PHP POT WMF NWS TAR
Use Advanced heuristics

And here is a new HJT log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:59:03 AM, on 9/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\User\Desktop\util\HiJackThis_v2.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: 0 - {4392A0FA-4F14-44F6-08A7-1C204C279D53} - C:\Program Files\Windows NT\lavukacys174.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: NETGEAR WG311v2 Smart Configuration.lnk = C:\Program Files\NETGEAR WG311v2 Adapter\wlancfg5.exe
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: aeskap - C:\WINDOWS\SYSTEM32\aeskap.dll
O20 - Winlogon Notify: rqrrono - rqrrono.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

--
End of file - 4890 bytes

Budfred
09-04-2007, 09:14 PM
You still have evidence of a very nasty infection in the log... Please do this:

Download haxfix.exe (http://users.telenet.be/marcvn/tools/haxfix.exe) and save it to your Desktop.

Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a Desktop icon"
Click "Next"
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
Click "Finish"
A red "dos window" (dos box) will open with these options:

1. Make logfile
E. Exit Haxfix

Open this folder: Program Files\haxfix and double click on fix.bat (or double click on fix.bat Desktop icon)
Close all other open windows since this step requires a reboot.

Select option 1. When it is complete: Run auto fix by typing 2, and then pressing Enter.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and then press Enter.
The computer will reboot.
After reboot a log will open.
Post the contents of that log along with a new HijackThis log.

We will do some cleanup in the HJT log after this is sorted...

dafunk
09-04-2007, 10:03 PM
OK I did as you said.
The first haxfix log was all corrupted so I ran it a second time

HAXFIX logfile - by Marckie

version 4.51
Tue 09/04/2007 20:58:12.53

--- Checking for Haxdoor ---

checking for a3d files
a3d files not found

checking for matching notify keys
no matching notify keys found

checking for matching services
no matching services found

checking for matching safeboot services
no matching safeboot services found

checking for other Haxdoor-files
no other Haxdoor-files found


--- Checking for Goldun ---

checking for SSODL keys
no ssodl keys found

checking for notify keys
no notify keys found

checking for services
no services found

checking for other Goldun-files
no other Goldun-files found

checking iexplore.exe
iexplore.exe is not infected


--- Catchme logfile - thank you Gmer ---

catchme 0.3.1066 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-04 20:58:12
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden files: 0


--- Analysing Catchme logfile ---

no matching regkeys found


Finished!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:16 PM, on 9/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\D-Link\D-Link RangeBooster N DWA-142\wirelesscm.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
c:\program files\aol\aol toolbar 5.0\AolTbServer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {4392A0FA-4F14-44F6-08A7-1C204C279D53} - C:\Program Files\Windows NT\lavukacys174.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Wireless Connection Manager.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5336 bytes

Budfred
09-04-2007, 10:59 PM
What do you mean it was all corrupted?? It looks like a lot has changed, including your version of HJT, but I have no way to figure out what made the changes... Did you run any other programs?? Did you install any other programs?? You are still at great risk and messing around with anything at this point means that we may need to start all over again... As I said earlier, please stay offline as much as possible and do not install any programs that are not needed for the fix...

Please open a HJT scan and put checks by:

O2 - BHO: 0 - {4392A0FA-4F14-44F6-08A7-1C204C279D53} - C:\Program Files\Windows NT\lavukacys174.dll (file missing)
O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx

Close all open windows except HJT and press Fix checked...

It looks like you tried to install AVG and ZoneAlarm since we started this process... It appears that AVG is probably corrupted and there is a good chance that ZoneAlarm is as well... You will eventually need to uninstall and reinstall both of them, but please do NOT do that yet...

Please reboot and post a fresh HJT log with details about what else you have been doing...
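As an added example (not a tool posted in this thread and not part of HijackThis itself), here is a small Python triage script that encodes the reasoning behind the two lines Budfred asks to have fixed above: an O2 BHO whose DLL no longer exists, and an O16 DPF whose codebase is not an http(s) URL (here the `ms-its:` handler). It also covers the O20 "(file missing)" case from the earlier log. The sample lines are copied from the HJT logs pasted in this thread; the heuristics and their wording are assumptions made for this example, everything else on a log still needs a human eye.

```python
"""Triage a HijackThis log for the patterns the thread above treats as fix candidates.

Added example for this thread, not a tool posted in it and not HJT's own code.
Heuristics are kept to what the pasted logs show: BHO (O2) and Winlogon Notify
(O20) entries whose file no longer exists, and O16 ActiveX download entries
whose codebase is not an http(s) URL.  Anything else is left for manual review.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample lines copied from the HJT logs pasted earlier in this thread (benign and suspicious mixed).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)",
    r"O2 - BHO: 0 - {4392A0FA-4F14-44F6-08A7-1C204C279D53} - C:\Program Files\Windows NT\lavukacys174.dll (file missing)",
    r"O16 - DPF: {49E71DB9-E803-43BA-AF81-1CAF61A6C4CB} (F-Secure Online Scanner 3.2) - http://support.f-secure.com/ols/beta/fscax.cab",
    r"O16 - DPF: {DD8C9372-35FD-4F7D-8CE4-909ABCFAB2C5} - ms-its:mhtml:file://c:\\nores.mht!http://adxtnet.net/code/chm/xpre.chm::/xpreload.ocx",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: rqrrono - rqrrono.dll (file missing)",
    r"O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe",
]

# Every HJT entry starts with a section tag (R0..R3, O1..O24) followed by ' - '.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when a log line matches one of the heuristics, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O2" and any(mk in body for mk in MISSING_MARKERS):
        return Finding(section, "BHO registered but its DLL is gone (orphan from a removed infection)", line)
    if section == "O16":
        codebase = body.rsplit(" - ", 1)[-1]          # text after the last ' - ' is the CODEBASE
        if not re.match(r"https?://", codebase, re.I):
            scheme = codebase.split(":", 1)[0]
            return Finding(section, f"ActiveX download via non-HTTP codebase ({scheme}:)", line)
    if section == "O20" and any(mk in body for mk in MISSING_MARKERS):
        return Finding(section, "Winlogon Notify package whose DLL is missing", line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits, in log order."""
    return [f for f in map(triage_line, lines) if f is not None]


def fix_candidates(lines: List[str]) -> List[str]:
    """The exact log lines a helper would tick before pressing 'Fix checked' in HJT."""
    return [f.line for f in triage(lines)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LINES):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Feed a saved log to `triage` with `open(path).read().splitlines()`; the script deliberately leaves entries like the `O23 - Service: ATI Smart - Unknown owner` line alone, because an unknown publisher string on its own is not evidence of anything and is the kind of call the thread keeps for a human helper.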

boiler85
09-09-2007, 02:06 AM
Budfred-
I think I may have the same problem as dafunk. I ran the combofix and have a log. I was wondering if you wouldn't mind looking at it and maybe I can follow the directions you gave above if I have a similar problem.
Thanks!

Budfred
09-09-2007, 03:26 AM
Budfred-
I think I may have the same problem as dafunk. I ran the combofix and have a log. I was wondering if you wouldn't mind looking at it and maybe I can follow the directions you gave above if I have a similar problem.
Thanks!

Please start your own thread...

dafunk,

Do you plan to finish this??

boiler85
09-09-2007, 12:06 PM
I am very new to this. How do I start a thread?

Budfred
09-09-2007, 12:11 PM
I am very new to this. How do I start a thread?

Go to the forum that this is in: Applications and Security... It will offer a button, New Thread... Click, give it a title and post your problem along with the HijackThis log and any other info that will help to solve your problem...